Research and document by Mark Krenz
Created: April 11th, 2012
Last update: May 14th, 2013
On this page I document the results of my research into the default, custom and encryption options for many of the most popular distributions of Linux and the BSDs. I tried my best to include a few versions of some of the most popular ones to show any change in policy. However, I didn't have enough time to install all of them in every combination nor fully install X on some of the distributions. You are most certainly welcome to e-mail me updates to the tables below.
This research is related to the report about the libvte scrollback problem, in which terminal scrollback data is written to disk. After releasing that report, there were several "knowledgeable people" who made uninformed comments such as "most distributions put /tmp on tmpfs by default anyways". This is obviously not true unless you are using the latest version of Arch, or unless you have selected an advanced option during install on Mageia or PC Linux OS. Not even Gentoo mentions it in their Handbook or Quick Install Guide. Slackware makes no mention of it on their website. Apparently people missed the memo on tmpfs; the notice about it was on display in the basement of the planning office for the last nine months behind a locked door. ;-)
The focus of this research was on what happens when you choose the default installation options, not what you can do after installation. I think any distribution allows you to set up tmpfs after install. For some distributions, I also went on and tried a custom and an encrypted install to see the results there. Except for the ones mentioned above, no distribution offered tmpfs as an option during the partitioning stage, and anyone who has tmpfs would have had to add it post-installation.
Most distributions also default to using gnome-terminal or some other libvte-based terminal, and I was surprised how many don't offer any other options, such as xterm. This is a disturbing trend, and I'm not sure what the reason is for not including xterm when historically it's always been the most basic terminal option available. xterm is also the most fully capable terminal emulator there is. Sabayon Linux not including vi by default is also just plain weird. I filed a bug report and they said they won't fix it.
In theory tmpfs makes sense, but it isn't always a good thing if you're a desktop user. I think some people turn it on without completely thinking about the potential consequences. Many GUI programs are designed to recover documents after a crash (e.g., Audacity, OpenOffice). Many people like this feature, probably far more than the number of people who would like to use tmpfs. By default Audacity stores its data in /tmp and recovers from there after a crash. If someone's system crashed with /tmp on tmpfs, it would mean losing that recovery data, which I'm sure is not what they wanted to happen.
If you are thinking about turning on tmpfs, you should exercise caution and consider how you use your system and how the programs you use would be affected by losing the data there across a reboot or crash.
One other consideration is that tmpfs is not a complete fix for the problem of terminal scrollback data being written to /tmp, because tmpfs pages can be swapped out to disk if the kernel decides to do so. Chances are that if you're using swap space on your system and run low on memory, your terminal process itself may have pages swapped out to disk anyway, but nevertheless it's an issue to consider.
Encryption is a good thing generally, but I can understand why distributions don't default to having it turned on. For one, support would be a nightmare: there is no way to recover your data in the event you forget your password. So it's more of a power user thing than something that should be a default and enforced upon people. A Slashdot poll dated 2011-11-21, with 25,813 responses, showed that over 49% of people admitted to not encrypting their drives. Slashdot is a subset of geeks and power users on the Internet and has a long history of holding single-question polls that help to reveal the geek status quo. In the survey, only 12% of the respondents admitted to encrypting more than just their home directory, meaning no more than 12% encrypted their /tmp filesystem. Ubuntu, which is probably the most popular distribution of Linux, only offers a home directory encryption option upon installation.
Encryption of your swap partition is a bit of a no-brainer, and I can think of no excuse for not using it by default. You should still wipe its contents along with the drive itself when you're done with it, though.
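As an added example, not code from the original article, here is a small Python audit script that answers for the machine it runs on the two questions the tables below track for each distribution: is /tmp a tmpfs mount, and is every active swap device a dm-crypt mapping? It also flags the combination discussed above, tmpfs /tmp together with unencrypted swap, into which tmpfs pages can be written out. The function names and the SAMPLE_* data are constructed for this example; the only system facts it relies on are the formats of /proc/mounts and /proc/swaps and that device-mapper UUIDs for dm-crypt targets begin with CRYPT-.

```python
"""Audit the two settings the tables below record for the machine this runs on:
is /tmp a tmpfs mount, and is every active swap device a dm-crypt mapping?
Function names and the SAMPLE_* data are constructed for this example."""
from __future__ import annotations

import os
from pathlib import Path


def parse_mounts(text: str) -> dict[str, str]:
    """Map mount point -> filesystem type from /proc/mounts-format text."""
    mounts: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts encodes a space inside a path as the octal escape \040
        mounts[fields[1].replace("\\040", " ")] = fields[2]
    return mounts


def parse_swaps(text: str) -> list[str]:
    """Return the Filename column of /proc/swaps text (the first line is a header)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def read_dm_uuids(sysfs: Path = Path("/sys/block")) -> dict[str, str]:
    """Map /dev/dm-N -> device-mapper UUID; dm-crypt targets use a 'CRYPT-' prefix."""
    uuids: dict[str, str] = {}
    for uuid_file in sysfs.glob("dm-*/dm/uuid"):
        uuids["/dev/" + uuid_file.parts[-3]] = uuid_file.read_text().strip()
    return uuids


def audit(mounts: dict[str, str], swaps: list[str], dm_uuids: dict[str, str]) -> dict:
    """Produce the yes/no answers the tables track plus a list of findings."""
    tmp_fstype = mounts.get("/tmp")  # None means /tmp is a directory on the root filesystem
    tmp_on_tmpfs = tmp_fstype == "tmpfs"

    def is_crypt(dev: str) -> bool:
        # /dev/mapper/<name> is a symlink to /dev/dm-N; realpath leaves other paths unchanged
        return dm_uuids.get(os.path.realpath(dev), "").startswith("CRYPT-")

    unencrypted = [dev for dev in swaps if not is_crypt(dev)]
    findings: list[str] = []
    if not tmp_on_tmpfs:
        findings.append(f"/tmp is on disk ({tmp_fstype or 'root filesystem'}); "
                        "anything a program writes there stays on disk until deleted")
    if unencrypted:
        findings.append("unencrypted swap: " + ", ".join(unencrypted))
        if tmp_on_tmpfs:
            findings.append("tmpfs /tmp can still be paged out to unencrypted swap")
    return {
        "tmp_fstype": tmp_fstype,
        "tmp_on_tmpfs": tmp_on_tmpfs,
        "unencrypted_swap": unencrypted,
        "findings": findings,
    }


# Constructed samples standing in for /proc/mounts, /proc/swaps and the sysfs UUIDs
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n"
)
SAMPLE_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/dm-1                               partition\t2097148\t0\t-1\n"
)
SAMPLE_DM_UUIDS = {"/dev/dm-1": "CRYPT-LUKS1-0123456789abcdef-cryptswap"}


if __name__ == "__main__":
    try:  # live /proc and /sys where available, the constructed samples otherwise
        report = audit(parse_mounts(Path("/proc/mounts").read_text()),
                       parse_swaps(Path("/proc/swaps").read_text()), read_dm_uuids())
    except OSError:
        report = audit(parse_mounts(SAMPLE_MOUNTS), parse_swaps(SAMPLE_SWAPS), SAMPLE_DM_UUIDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as root or as an ordinary user; /proc/mounts and /proc/swaps are world-readable on Linux, as are the sysfs UUID files. On a default install of most of the distributions below it reports /tmp on the root filesystem and unencrypted swap; on an install like the Arch 2011.08 one it reports tmpfs /tmp but still warns about the swap.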
So in conclusion, given that the majority of people are not using tmpfs or encryption and the most popular terminal installed is gnome-terminal, the exposure of data caused by the flaw in libvte is quite significant, and users need to be made aware of it.
Below are the results of installing distributions in virtual machines and some notes during and after the install process. Boldface in the "Terminals available by default" column indicates the terminals that are available in the menu system. A ? means I didn't fully check. Sorry.
Default installs (what most people probably choose)

| Distro | Version | Has VTE flaw | /tmp on tmpfs | /tmp encrypted | swap encrypted | tmpfs available | Terminals available by default | Notes |
|---|---|---|---|---|---|---|---|---|
| Arch | 2010.05 | ? | NO | NO | NO | YES | | Didn't install X because it's not on the CD and this is an old version. |
| Arch | 2011.08 | YES | YES | NO | NO | YES | xterm | Installed gnome separately |
| CentOS | 5.8 | NO | NO | NO | NO | YES | gnome-terminal, xterm, uxterm | |
| Linux Mint | 12 | YES | NO | NO | NO | YES | gnome-terminal, ? | |
| Mageia | 1 | YES | NO* | NO | NO | YES | gnome-terminal | Has an option to turn on tmpfs in the GUI. |
| PC Linux OS | 2012.02 XFCE | YES | NO | NO | NO | YES | | |
| Puppy Linux | 5.2 | ? | NO | NO | N/A | YES | urxvt (libvte not installed by default) | |
| RedHat | 7.2 (old) | NO | NO | NO | NO | NO | | Just for a fun comparison |
| Sabayon | 7 | YES* | NO | NO | NO | YES | gnome-terminal, guake | When I tried to read /proc/$PPID/fd/21, it said stale NFS file handle |
| Sabayon | 8 | YES* | NO | NO | NO | YES | gnome-terminal, guake | When I tried to read /proc/$PPID/fd/21, it said stale NFS file handle |
| Scientific | 6.2 | YES | NO | NO | NO | YES | gnome-terminal | Mostly like a Fedora install, so I didn't try the other install methods |
| Slackware | 13.37 | ? | NO | NO | NO | YES | konsole, ? | Didn't install gnome |
| TurboLinux | 2008 client | ? | NO | NO | N/A | YES | konsole, ? | Couldn't read it; it was all in Japanese. |
| Ubuntu | 4.10 warty | NO | NO | NO | NO | YES | gnome-terminal, ? | tmpfs available since as far back as 2004 |
| Ubuntu | 6.06 LTS Desktop | NO | NO | NO | NO | YES | gnome-terminal, ? | 32-bit |
| Ubuntu | 8.04 LTS Desktop | NO | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | 32-bit |
| Ubuntu | 9.04 Desktop | NO | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | |
| Ubuntu | 9.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, koi8rxterm, lxterm, uxterm | |
| Ubuntu | 10.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, lxterm, uxterm, koi8rxterm | |
| Ubuntu | 11.04 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | Due to the Unity interface you kinda get 3 choices for term |
| Ubuntu | 11.10 Desktop | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |
| Ubuntu | 11.10 Alternate | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |
| Ubuntu | 12.04 beta1 | YES | NO | NO | NO | YES | gnome-terminal, xterm, uxterm, lxterm, koi8rxterm | |

| OS | Version | Has flaw | /tmp in memory | /tmp encrypted | swap encrypted | mem backed avail | Terminals available | Notes |
|---|---|---|---|---|---|---|---|---|
| OpenBSD | 5.0 | ? | NO* | NO | YES | YES | xterm, ? | OpenBSD's motto is "Secure by Default". This was a default install; it does clear /tmp on boot, but that only removes the files. |
| PC-BSD | 9.0 | YES* | NO | NO | NO | YES | lxterminal, ? | Instead of /tmp, the files are written to the /var partition |
Custom partitioning and options installs (no encryption selected, but chose to manually partition and set other options)

| Distro | Version | Checked | tmpfs choice available | Swap encrypted | Notes |
|---|---|---|---|---|---|
| Fedora | 16 | Y | NO | NO* | It does provide the option to encrypt swap, but it's disabled by default. |
| Gentoo | 2012-02-22 docs | Y | YES* | NO | It's only available if you know about it. The only place it's mentioned in the install docs is deep in the advanced docs, the SELinux/hardened install. |
| Mageia | 1 | Y | YES* | NO | If you choose "Clean /tmp at each boot" in the advanced options, it turns on tmpfs for /tmp |
| PC Linux OS | 2012.02 XFCE | Y | NO | NO | |
| Pinguy | 11.04 | N* | ? | ? | Looks to be the same results as Ubuntu. I tried, but the installer kept freezing up. |
| Ubuntu | 6.06 LTS Desktop | N | ? | ? | |
| Ubuntu | 8.04 LTS Desktop | Y | NO | NO | |
Encrypted installs (note that none of the distributions I tested defaulted to encryption being enabled)

| Distro | Version | Tried | Enc Available | Encryption defaults to enabled | Encryption means LVM | Encryption means homedir only | /tmp encrypted | Swap encrypted | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Debian | 6 | Y | YES | NO | YES | NO | YES | YES | By default, it recommends all files on one partition; I chose to do separate partitions |
| Fedora | 16 | Y | YES | NO | ? | ? | ? | ? | Installer crashed twice when I tried this, so I gave up |
| Gentoo | 2012-02-22 docs | N | ? | ? | ? | ? | ? | ? | Most likely it's possible; I didn't check because of the time involved |
| Mageia | 1 | Y | YES | NO | YES* | NO* | YES | YES | Provides encryption options for LVM or individual partitions |
| OpenSUSE | 12.1 | Y | YES | NO | YES | NO | YES | YES | Had errors while choosing the encrypted setup |
| PC Linux OS | 2012.02 XFCE | Y | YES* | NO | YES | NO* | YES | YES | Ideally, this would have worked and offered LVM encryption and manual single-partition encryption, but I had errors with installing LVM for the setup. |
| Pinguy | 11.04 | N* | ? | ? | ? | ? | ? | ? | Probably the same results as Ubuntu 11.04 |
| Slackware | 13.37 | Y | NO* | NA | NA | NA | NA | NA | It might be possible, but the interface and the Slackware docs make no mention of this that I could find using a Google search of the site. |
| Ubuntu | 6.06 LTS Desktop | N | ? | ? | ? | ? | ? | ? | |
| Ubuntu | 8.04 LTS Desktop | Y | NO | NA | NA | NA | NO | NO | |
| Ubuntu | 11.10 Alternate | Y | YES | YES | YES | NO | YES | YES | Alternate disk |